Devalue
CVE-2026-22774
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
AnalysisAI
Denial of service in Svelte devalue versions 5.3.0 through 5.6.1 allows remote attackers to exhaust CPU and memory resources by supplying malformed input to the parse function, affecting applications that process untrusted data. The vulnerability stems from insufficient validation of typed array inputs before hydration, enabling attackers to trigger excessive resource consumption. Update to version 5.6.2 or later to remediate.
Technical ContextAI
Affects Devalue. Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the as
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 5.6.2.. Restrict network access to the affected service where possible.
In devalue v5.6.3, `devalue.parse` and `devalue.unflatten` were susceptible to prototype pollution via maliciously craft
Denial of service in Svelte devalue library versions 5.1.0 through 5.6.1 allows remote attackers to exhaust CPU and memo
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-vw5p-8cq8-m7mv